Stefan Eissing [Wed, 17 Jan 2024 08:38:02 +0000 (08:38 +0000)]
*) mod_http2: v2.0.26 with the following fixes:
- Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes
<https://github.com/icing/mod_h2/issues/272>.
- Fixed small memory leak in h2 header bucket free. Thanks to
Michael Kaufmann for finding this and providing the fix.
Yann Ylavic [Tue, 16 Jan 2024 17:40:36 +0000 (17:40 +0000)]
mod_headers: Avoid infinite recursion with the edit* action and empty matches.
Change the recursion used for edit* to a loop using the new ap_regexec_ex()
function taking the current position (offset) in the subject string.
After an empty match do the same thing as pcre2_substitute() (or Perl's /g),
that is: don't allow for another empty match at the same positition by setting
the AP_REG_NOTEMPTY_ATSTART option. If there is a non-empty match use it,
otherwise skip/consume the first character and continue from there.
* modules/metadata/mod_headers.c:
Rename the hdr_edit_r enum for edit* to hdr_edit_all to better express what
is does (and since the action is not recursive anymore).
* modules/metadata/mod_headers.c(push_string, push_match):
New helpers to consume the subject and substitutions in an array of iovec.
* modules/metadata/mod_headers.c(process_regexp):
Implement the new logic, using push_match() and push_string() to fill the
iovec array finally passed to apr_strcatv() for the resulting string.
Yann Ylavic [Tue, 16 Jan 2024 16:51:03 +0000 (16:51 +0000)]
regex: Add ap_regexec_ex() which can take a starting offset to match from.
* include/ap_mmn.h:
Bump MMN minor.
* include/ap_regex.h:
Declare ap_regexec_ex().
* server/util_pcre.c(ap_regexec, ap_regexec_len, ap_regexec_ex):
Reuse existing ap_regexec_len() code to implement ap_regexec_ex() where the
offset is given instead of zero, then implement ap_regexec{,len}() in terms
of ap_regexec_ex().
Joe Orton [Wed, 20 Dec 2023 15:56:15 +0000 (15:56 +0000)]
* modules/http/chunk_filter.c (ap_http_chunk_filter): For a brigade
containing [FLUSH EOS], insert the last-chunk terminator before the
FLUSH rather than between the FLUSH and the EOS.
Joe Orton [Thu, 7 Dec 2023 18:29:15 +0000 (18:29 +0000)]
* modules/dav/main/util.c (dav_validate_resource_state): Fix error
message formatting if an unauthenticated user tries to use an
authenticated user's lock token (cosmetic fix only).
Joe Orton [Thu, 7 Dec 2023 18:25:35 +0000 (18:25 +0000)]
mod_dav_fs: Add global mutex around use of lockdb use, since
apr_dbm does not provide thread-safe locking:
* modules/dav/fs/mod_dav_fs.c (dav_fs_get_server_conf):
Replaces dav_get_lockdb_path.
(dav_fs_pre_config, dav_fs_child_init): New hooks.
(dav_fs_post_config): Create & store the mutex here.
(register_hooks): Register new hooks.
* modules/dav/fs/repos.h: Expose new dav_fs_server_conf struct.
* modules/dav/fs/lock.c (dav_fs_lockdb_cleanup): New cleanup
which unlocks and closes the dbm handle.
(dav_fs_really_open_lockdb): Lock the mutex here, register a
cleanup.
(dav_fs_open_lockdb): Adjust to use dav_fs_get_server_conf.
(dav_fs_close_lockdb): Run the cleanup here.
Joe Orton [Tue, 5 Dec 2023 15:26:22 +0000 (15:26 +0000)]
mod_ssl: Add support for loading keys from OpenSSL 3.x providers via
the STORE API. Separates compile-time support for the STORE API
(supported in 3.x) from support for the ENGINE API (deprecated in
3.x).
* modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for
OpenSSL 3.0+.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri,
modssl_load_keypair_store): New functions.
(modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine.
(modssl_load_engine_keypair): Reimplement to use new STORE-based
functions if SSLCryptoDevice was not configured, or else old
ENGINE implementation.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs
also for the OpenSSL 3.x STORE API.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log
message on error paths for the provider/STORE case.
Graham Leggett [Sun, 19 Nov 2023 10:45:05 +0000 (10:45 +0000)]
Apply earlier fix to the ldapsearch case:
Arrange for backend LDAP connections to be returned
to the pool by a fixup hook rather than staying locked
until the end of (a potentially slow) request.
Yann Ylavic [Sat, 18 Nov 2023 13:49:04 +0000 (13:49 +0000)]
mod_proxy: Follow up to r1912245: ap_proxy_ prefix for extern functions.
Even if they are not part of the API (not in mod_proxy.h) hence requires no
MMN bump, {get,set,increment_,decrement_}busy_count() being AP_PROXY_DECLARE()d
could name-collide with a third-party module's functions.
Rename them using the ap_proxy_ prefix, with an underscore after the verb for
for all of them too (for consistency), that is:
ap_proxy_{get,set,increment,decrement}_busy_count()
Yann Ylavic [Thu, 16 Nov 2023 14:58:52 +0000 (14:58 +0000)]
Follow up to r1874101: Axe useless LIBRESSL_VERSION_NUMBER check.
Since the fix to MODSSL_USE_OPENSSL_PRE_1_1_API in r1908537, we are sure that
!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
in this block.
Yann Ylavic [Thu, 16 Nov 2023 10:27:30 +0000 (10:27 +0000)]
ci: Disable ASan's LeakSanitizer.
The tool sometimes/somehow crashes in CI, though I can't reproduce locally.
Possibly an issue with the gcc toolchain used there.. disable for now as it
makes the tests fail.
Yann Ylavic [Wed, 15 Nov 2023 22:09:05 +0000 (22:09 +0000)]
mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set. PR 68080
Also, always allow for "SSLCryptoDevice builtin" even if the ENGINE API is not
available, OPENSSL_NO_ENGINE or more generally with the new API (providers)
available since OpenSSL >= 3.
* ssl_private.h: Set MODSSL_HAVE_ENGINE_API to 0 if OPENSSL_NO_ENGINE.
* mod_ssl.c, ssl_engine_config.c: Don't depend on HAVE_OPENSSL_ENGINE_H and
HAVE_ENGINE_INIT to provide [ssl_cmd_]SSLCryptoDevice.
Stefan Eissing [Tue, 31 Oct 2023 10:24:11 +0000 (10:24 +0000)]
* mod_md: Fix the reported "until" validity of a certificate in the status
handler. [Rainer Jung]
Fix possible NULL deref when logging the error that an authentication
resource could not be retrieved from the ACME server. [Stefan Eissing]
Joe Orton [Mon, 16 Oct 2023 13:10:16 +0000 (13:10 +0000)]
Fix h2 build broken in r1913019:
* modules/http2: Make WebSockets support conditional also
on APR 1.7.x since apr_encode.h is required. Restore
#include "apr_encode.h" removed in previous commit.
Joe Orton [Tue, 3 Oct 2023 12:58:16 +0000 (12:58 +0000)]
mod_dav_fs: add DAVLockDBType directive.
* modules/dav/fs/dbm.c (dav_dbm_open_direct): Take a dbmtype argument
and use it to select the apr_dbm driver type.
(dav_dbm_open): Continue to use the "default" propdb type to open
the property databases.
* modules/dav/fs/lock.c: Store and pass through the lockdb_type
through.
* modules/dav/fs/mod_dav_fs.c (dav_get_lockdb_path): Return the dbm
type via an output argument.
(dav_fs_cmd_davlockdbtype): New config directive.
(dav_fs_merge_server_config): Merge the dbm type.
(dav_fs_post_config): Set the default lockdb type.
* modules/dav/fs/repos.h: Update prototypes as above; internal API
only so no compat concerns.
Joe Orton [Thu, 28 Sep 2023 08:11:30 +0000 (08:11 +0000)]
* modules/dav/fs/dbm.c (dav_dbm_open_direct): Test against
APR_MAJOR_VERSION, APU_MAJOR_VERSION is not defined for APR trunk
since the #include <apu_version.h> is conditional on APR < 2.
Joe Orton [Fri, 22 Sep 2023 09:31:22 +0000 (09:31 +0000)]
* modules/dav/fs/dbm.c (dav_fs_dbm_error, dav_dbm_open_direct): Remove
error message references to "property" databases since these
functions are used for both propdbs and the lock database.
mod_proxy: Allocate and pnitialize the workers and balancers on pconf.
On ungraceful restart, pchild might be destroyed without waiting for the MPM
threads, just before exit()ing but still there is a window where threads may
be using its data still.
Avoid possible exit path crashes by basing the workers/balancers on pconf,
which is not destroyed in children processes.
While at it, avoid the duplication of the generic "forward" worker for each
server(_rec), there can be a single instance like the generic "reverse"
worker.
mod_proxy: Add ap_proxy_worker_get_name() and deprecate ap_proxy_worker_name().
The latter requires a pool and returns a non constant string although it may
return worker shared data.
By computing the worker "UDS" name at init time we can return a constant name
in any case with no need for a pool, that's the new ap_proxy_worker_get_name().
mod_proxy: Handle backend address renewal with address_ttl= parameter.
Define a new proxy_address struct holding the current/latest sockaddr in use
by each proxy worker and conn. Since backend addresses can be updated when
their TTL expires and while connections are being processed, each address is
refcounted and freed only when the last worker (or conn) using it grabs the
new one.
The lifetime of the addresses is handled at a single place by the new
ap_proxy_determine_address() function. It guarantees to bind the current/latest
backend address to the passed in conn (or do nothing if it's up to date already).
The function is called indirectly by ap_proxy_determine_connection() for the
proxy modules that use it, or directly by mod_proxy_ftp and mod_proxy_hcheck.
It also is called eventually by ap_proxy_connect_backend() when connect()ing all
the current addresses fails, to check (PROXY_DETERMINE_ADDRESS_CHECK) if some
new addrs are available.
This commit is also a rework of the lifetime of conn->addr, conn->hostname
and conn->forward, using the conn->uds_pool and conn->fwd_pool for the cases
where the backend is connected through a UDS socket and a remote CONNECT proxy
respectively.
* include/ap_mmn.h:
Minor bump for new function/fields.
* modules/proxy/mod_proxy.h (struct proxy_address,
ap_proxy_determine_addresss()):
Declare ap_proxy_determine_addresss() and opaque struct proxy_address,
new fields to structs proxy_conn_rec/proxy_worker_shared/proxy_worker.
* modules/proxy/mod_proxy.c (set_worker_param):
Parse/set the new worker->address_ttl parameter.
* modules/proxy/proxy_util.c (proxy_util_register_hooks(),
ap_proxy_initialize_worker(),
ap_proxy_connection_reusable(),
ap_proxyerror(), proxyerror_core(),
init_conn_pool(), make_conn_subpool(),
connection_make(), connection_cleanup(),
connection_constructor()):
Initialize *proxy_start_time in proxy_util_register_hooks() as the epoch
from which expiration times are relative (i.e. seconds stored in an uint32_t
for atomic changes).
Make sure worker->s->is_address_reusable and worker->s->disablereuse are
consistant in ap_proxy_initialize_worker(), thus no need to check for both
in ap_proxy_connection_reusable().
New proxyerror_core() helper taking an apr_status_t to log, wrap in
ap_proxyerror().
New make_conn_subpool() to create worker->cp->{pool,dns} with their own
allocator.
New connection_make() helper to factorize code in connection_cleanup() and
connection_constructor().
* modules/proxy/proxy_util.c (proxy_address_inc(), proxy_address_dec(),
proxy_address_cleanup(), proxy_address_set_expired(),
worker_address_get(), worker_address_set(),
worker_address_resolve(), proxy_addrs_equal(),
ap_proxy_determine_address(),
ap_proxy_determine_connection(),
ap_proxy_connect_backend()):
Implement ap_proxy_determine_address() using the above helpers for atomic changes,
and call it from ap_proxy_determine_connection() and ap_proxy_connect_backend().
* modules/proxy/mod_proxy_ftp.c (proxy_ftp_handler):
Use ap_proxy_determine_address() and use the returned backend->addr.
* modules/proxy/mod_proxy_hcheck.c (hc_determine_connection, hc_get_backend,
hc_init_worker, hc_watchdog_callback):
Use ap_proxy_determine_address() in hc_determine_connection() and call the
latter from hc_get_backend(), replace hc_init_worker() by hc_init_baton()
which now calls hc_get_hcworker() and hc_get_backend() to resolve the first
address at init time.
* modules/proxy/mod_proxy_http.c (proxy_http_handler):
Use backend->addr and ->hostname instead of worker->cp->addr and
worker->s->hostname_ex respectively.
* modules/proxy/mod_proxy_ajp.c (ap_proxy_ajp_request):
Use backend->addr and ->hostname instead of worker->cp->addr and
worker->s->hostname_ex respectively.
projects / thirdparty / apache / httpd.git / log
